Use RBAC Core (#20)

Also optimizes RBAC calculation.

Author: spjmurray

charts/identity/Chart.yaml

@@ -4,7 +4,7 @@ description: A Helm chart for deploying Unikorn's IdP
 
 type: application
 
-version: v0.1.16
-appVersion: v0.1.16
+version: v0.1.17
+appVersion: v0.1.17
 
 icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/go-jose/go-jose/v3 v3.0.1
 	github.com/google/uuid v1.6.0
 	github.com/spf13/pflag v1.0.5
-	github.com/unikorn-cloud/core v0.1.12
+	github.com/unikorn-cloud/core v0.1.15
 	go.opentelemetry.io/otel v1.24.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.22.0
 	go.opentelemetry.io/otel/sdk v1.22.0

go.sum

@@ -263,6 +263,14 @@ github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65E
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
 github.com/unikorn-cloud/core v0.1.12 h1:I78A9dNMCMtth1WGrEEPhktyNOtQ33W52TIRuw2R4XA=
 github.com/unikorn-cloud/core v0.1.12/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
+github.com/unikorn-cloud/core v0.1.13-0.20240322093852-bcfb70d6af1e h1:ekTbAcjXgU/D4FQLdwES9bGtpaavI6PpfqK1hN1ARxs=
+github.com/unikorn-cloud/core v0.1.13-0.20240322093852-bcfb70d6af1e/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
+github.com/unikorn-cloud/core v0.1.13 h1:ewIi0wrvFa8u43Yb2IBEB+i5FaRqjcgJh4FWlwwXyOE=
+github.com/unikorn-cloud/core v0.1.13/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
+github.com/unikorn-cloud/core v0.1.14 h1:Nk/2g40sf2IAEwQa1fDFcjINInFrw9sOa4rcnCNTQfQ=
+github.com/unikorn-cloud/core v0.1.14/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
+github.com/unikorn-cloud/core v0.1.15 h1:avOh0uSvlgSgBzVdM/JUsdP0eYYO8pTaD0oQSUNLGDY=
+github.com/unikorn-cloud/core v0.1.15/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=

pkg/authorization/authenticator.go

@@ -18,9 +18,6 @@ limitations under the License.
 package authorization
 
 import (
-	"net/http"
-
-	"github.com/unikorn-cloud/core/pkg/authorization/accesstoken"
 	"github.com/unikorn-cloud/core/pkg/server/errors"
 	"github.com/unikorn-cloud/identity/pkg/jose"
 	"github.com/unikorn-cloud/identity/pkg/oauth2"
@@ -44,17 +41,6 @@ func NewAuthenticator(issuer *jose.JWTIssuer, oauth2 *oauth2.Authenticator) *Aut
 	}
 }
 
-func (a *Authenticator) Userinfo(r *http.Request) (interface{}, error) {
-	token := accesstoken.FromContext(r.Context())
-
-	claims, err := a.OAuth2.Verify(r, token)
-	if err != nil {
-		return nil, err
-	}
-
-	return claims, nil
-}
-
 func (a *Authenticator) JWKS() (interface{}, error) {
 	result, err := a.issuer.JWKS()
 	if err != nil {

pkg/handler/handler.go

@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/unikorn-cloud/core/pkg/authorization/userinfo"
 	"github.com/unikorn-cloud/core/pkg/server/errors"
 	"github.com/unikorn-cloud/identity/pkg/authorization"
 	"github.com/unikorn-cloud/identity/pkg/generated"
@@ -134,14 +135,8 @@ func (h *Handler) PostOauth2V2Token(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) GetOauth2V2Userinfo(w http.ResponseWriter, r *http.Request) {
-	result, err := h.authenticator.Userinfo(r)
-	if err != nil {
-		errors.HandleError(w, r, err)
-		return
-	}
-
 	h.setUncacheable(w)
-	util.WriteJSONResponse(w, r, http.StatusOK, result)
+	util.WriteJSONResponse(w, r, http.StatusOK, userinfo.FromContext(r.Context()))
 }
 
 func (h *Handler) GetOauth2V2Jwks(w http.ResponseWriter, r *http.Request) {

pkg/middleware/openapi/local/authorizer.go

@@ -21,9 +21,9 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/getkin/kin-openapi/openapi3filter"
 
+	"github.com/unikorn-cloud/core/pkg/authorization/userinfo"
 	"github.com/unikorn-cloud/core/pkg/server/errors"
 	"github.com/unikorn-cloud/identity/pkg/oauth2"
 )
@@ -57,7 +57,7 @@ func getHTTPAuthenticationScheme(r *http.Request) (string, string, error) {
 }
 
 // authorizeOAuth2 checks APIs that require and oauth2 bearer token.
-func (a *Authorizer) authorizeOAuth2(r *http.Request) (string, *oidc.UserInfo, error) {
+func (a *Authorizer) authorizeOAuth2(r *http.Request) (string, *userinfo.UserInfo, error) {
 	authorizationScheme, token, err := getHTTPAuthenticationScheme(r)
 	if err != nil {
 		return "", nil, err
@@ -68,15 +68,26 @@ func (a *Authorizer) authorizeOAuth2(r *http.Request) (string, *oidc.UserInfo, e
 	}
 
 	// Check the token is from us, for us, and in date.
-	if _, err := a.authenticator.Verify(r, token); err != nil {
+	claims, err := a.authenticator.Verify(r, token)
+	if err != nil {
 		return "", nil, errors.OAuth2AccessDenied("token validation failed").WithError(err)
 	}
 
-	return token, nil, nil
+	permissions, err := a.authenticator.GetRBAC().UserPermissions(r.Context(), claims.Subject)
+	if err != nil {
+		return "", nil, errors.OAuth2AccessDenied("failed to get user permissions").WithError(err)
+	}
+
+	ui := &userinfo.UserInfo{
+		Claims: claims.Claims,
+		RBAC:   permissions,
+	}
+
+	return token, ui, nil
 }
 
 // Authorize checks the request against the OpenAPI security scheme.
-func (a *Authorizer) Authorize(authentication *openapi3filter.AuthenticationInput) (string, *oidc.UserInfo, error) {
+func (a *Authorizer) Authorize(authentication *openapi3filter.AuthenticationInput) (string, *userinfo.UserInfo, error) {
 	if authentication.SecurityScheme.Type == "oauth2" {
 		return a.authorizeOAuth2(authentication.RequestValidationInput.Request)
 	}

pkg/oauth2/federated.go

@@ -86,6 +86,10 @@ func New(options *Options, namespace string, client client.Client, issuer *jose.
 	}
 }
 
+func (a *Authenticator) GetRBAC() *rbac.RBAC {
+	return a.rbac
+}
+
 type Error string
 
 const (

pkg/rbac/rbac.go

@@ -21,38 +21,13 @@ import (
 	"slices"
 	"strings"
 
+	"github.com/unikorn-cloud/core/pkg/authorization/rbac"
 	"github.com/unikorn-cloud/core/pkg/authorization/roles"
 	unikornv1 "github.com/unikorn-cloud/identity/pkg/apis/unikorn/v1alpha1"
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-// GroupPermissions are privilege grants for a project.
-type GroupPermissions struct {
-	// ID is the unique, immutable project identifier.
-	ID string `json:"id"`
-	// Roles are the privileges a user has for the group.
-	Roles []roles.Role `json:"roles"`
-}
-
-// OrganizationPermissions are privilege grants for an organization.
-type OrganizationPermissions struct {
-	// IsAdmin allows the user to play with all resources in an organization.
-	IsAdmin bool `json:"isAdmin,omitempty"`
-	// Name is the name of the organization.
-	Name string `json:"name"`
-	// Groups are any groups the user belongs to in an organization.
-	Groups []GroupPermissions `json:"groups,omitempty"`
-}
-
-// Permissions are privilege grants for the entire system.
-type Permissions struct {
-	// IsSuperAdmin HAS SUPER COW POWERS!!!
-	IsSuperAdmin bool `json:"isSuperAdmin,omitempty"`
-	// Organizations are any organizations the user has access to.
-	Organizations []OrganizationPermissions `json:"organizations,omitempty"`
-}
-
 // RBAC contains all the scoping rules for services across the platform.
 type RBAC struct {
 	client    client.Client
@@ -80,16 +55,20 @@ func (r *RBAC) GetOrganizatons(ctx context.Context) (*unikornv1.OrganizationList
 
 // UserPermissions builds up a hierarchy of permissions for a user, this is used
 // both internally and given out to resource servers via token introspection.
-func (r *RBAC) UserPermissions(ctx context.Context, email string) (*Permissions, error) {
-	permissions := &Permissions{}
+//
+//nolint:cyclop
+func (r *RBAC) UserPermissions(ctx context.Context, email string) (*rbac.Permissions, error) {
+	permissions := &rbac.Permissions{}
 
 	organizations, err := r.GetOrganizatons(ctx)
 	if err != nil {
 		return nil, err
 	}
 
 	for _, organization := range organizations.Items {
-		organizationPermissions := OrganizationPermissions{}
+		var isAdmin bool
+
+		var groups []rbac.GroupPermissions
 
 		for _, group := range organization.Spec.Groups {
 			// TODO: implicit groups.
@@ -104,18 +83,33 @@ func (r *RBAC) UserPermissions(ctx context.Context, email string) (*Permissions,
 
 			// Hoist admin powers.
 			if slices.Contains(group.Roles, roles.Admin) {
-				organizationPermissions.IsAdmin = true
+				isAdmin = true
 			}
 
-			organizationPermissions.Groups = append(organizationPermissions.Groups, GroupPermissions{
+			// Remove any special roles.
+			minifiedRoles := slices.DeleteFunc(group.Roles, func(role roles.Role) bool {
+				return role == roles.SuperAdmin || role == roles.Admin
+			})
+
+			if len(minifiedRoles) == 0 {
+				continue
+			}
+
+			groups = append(groups, rbac.GroupPermissions{
 				ID:    group.ID,
-				Roles: group.Roles,
+				Roles: minifiedRoles,
 			})
 		}
 
-		if organizationPermissions.IsAdmin || len(organizationPermissions.Groups) > 0 {
-			permissions.Organizations = append(permissions.Organizations, organizationPermissions)
+		if !isAdmin && len(groups) == 0 {
+			continue
 		}
+
+		permissions.Organizations = append(permissions.Organizations, rbac.OrganizationPermissions{
+			Name:    organization.Name,
+			IsAdmin: isAdmin,
+			Groups:  groups,
+		})
 	}
 
 	return permissions, nil